Simon Clayton of RefTech guides us through the questions you need to ask when choosing an event management system:
Events capture a lot of data, and protecting the personal data of delegates should be the top priority for every event manager. You may be thinking "who on earth would want to hack the personal information of the delegates at an accounting conference?", but it might surprise you to learn that once a machine is reachable from the internet it can take only a few minutes before it starts being attacked, and the attacks never stop. Many of the attackers will be "script kiddies" running simple attack scripts they found online, but those scripts do not care what your conference is about, so you have to stay vigilant.
There is a plethora of event management systems available, but they are not all the same. Many have lots of bells and whistles, but you need to make sure they also have the robust and thorough security measures needed to protect your data. Here are a few pointers to consider when you review the system you are using or are about to buy:
Does your system provider have an HTTPS website?
The data you enter into your event management system sits on a server in the cloud somewhere, and every time you log in to review it, it is transferred to you across the internet. Your provider's website MUST use HTTPS (Hypertext Transfer Protocol Secure, that is, HTTP carried over an encrypted TLS connection), because that means all communication between your browser and their website, including your data and your login details, is encrypted in transit. Look for the padlock in the browser address bar, and check that typing a plain http:// address redirects you to https://. Also ask your provider whether they have HSTS (HTTP Strict Transport Security) enabled. I won't explain the details here, but it is a header the site sends that tells your browser to only ever connect to it over HTTPS, which helps protect you from a "man in the middle" attack that tries to downgrade you to plain HTTP when you are on public Wi-Fi.
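To make the HSTS question concrete, here is a small checker you could point at captured response headers from a provider's site. It is an added example written for this article, not RefTech's or any vendor's code. It parses the Strict-Transport-Security header as defined in RFC 6797; the one-year minimum max-age and the requirement for includeSubDomains are conservative choices assumed here (the browser preload list requires them), not something the article's checklist mandates. The sample responses are constructed.

```python
"""Assess an event-management provider's HTTPS/HSTS posture from captured
response headers.  Added example, not RefTech's code.  The minimum values
below are conservative assumptions chosen for this illustration."""
from typing import NamedTuple

# One year in seconds: a commonly recommended minimum HSTS max-age (and what
# the browser preload list requires).  Assumption for this example.
MIN_MAX_AGE = 31536000


class HstsPolicy(NamedTuple):
    present: bool
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into an HstsPolicy.
    Directives are ';'-separated and case-insensitive (RFC 6797)."""
    if header_value is None:
        return HstsPolicy(False, 0, False, False)
    max_age, subs, preload = 0, False, False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            subs = True
        elif name == "preload":
            preload = True
    return HstsPolicy(True, max_age, subs, preload)


def assess(url, status, headers):
    """Return a list of findings (empty = no problems) for one captured
    response.  `headers` is a dict of response headers; lookup is
    case-insensitive here."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if url.startswith("http://"):
        # The plain-HTTP address must send the browser straight to HTTPS.
        loc = h.get("location", "")
        if not loc.startswith("https://"):
            findings.append("plain-HTTP URL does not redirect to HTTPS")
        elif status not in (301, 308):
            findings.append(f"redirect to HTTPS is temporary ({status}); should be 301 or 308")
        return findings  # browsers ignore HSTS over plain HTTP, so nothing else applies
    policy = parse_hsts(h.get("strict-transport-security"))
    if not policy.present:
        findings.append("no Strict-Transport-Security header: browser will still accept http://")
        return findings
    if policy.max_age < MIN_MAX_AGE:
        findings.append(f"HSTS max-age {policy.max_age}s is below {MIN_MAX_AGE}s")
    if not policy.include_subdomains:
        findings.append("HSTS does not cover subdomains (includeSubDomains missing)")
    return findings


if __name__ == "__main__":
    # Constructed responses for two hypothetical provider sites.
    print(assess("https://events.example/login", 200,
                 {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}))
    print(assess("https://events.example/login", 200,
                 {"Strict-Transport-Security": "max-age=300"}))
    print(assess("http://events.example/", 301, {"Location": "https://events.example/"}))
```

In practice you would feed `assess` the status and headers from a real request (for example from `requests.get(url, allow_redirects=False)`) for both the http:// and https:// forms of the login page; a site that passes both checks is the one you want.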
Does your event management system have 2FA (two factor authentication)?
2FA is everywhere these days, with many websites offering it to users to protect their accounts, and for extremely good reasons. It is a security process that requires a second factor: as well as a username and password, 2FA asks for another code, typically a time-based one generated by an app on the mobile phone of the person logging in. Each code is only valid for a short window (usually 30 seconds), and a good system will refuse to accept the same code twice. Having 2FA massively reduces the chance of someone stealing your credentials and logging in as you, which is vital in protecting data. This is especially the case if you are using public Wi-Fi to log in (as many event profs do), because even if your password is captured, someone cannot log in as you without the current code from your phone.
If there’s one thing you take away from this article – make it that you enable 2FA on EVERY website you can!
Does the system have login alerts?
Many online accounts will alert you if your details are used to log in from a device you haven't used before. If your event management system does this, you will know as soon as someone else uses your login details. Some even give you the option of ending that session immediately if you don't recognise the device.
Does the system show a record of your logins?
The really robust systems will let you see a detailed record of the times, dates and devices of your recent logins. Review these to see if anything untoward has occurred, and use the list to remove devices that are no longer in use or have been lost or stolen, so that they can no longer access your account. Reviewing and tidying this list from time to time is another simple step towards keeping your event data secure.
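The two checks above (login alerts, and a reviewable record of devices) are really one piece of logic on the provider's side, run over the login log. The following is an added example of that logic, written for this article rather than taken from any product. The log lines are constructed, and the device identifier is assumed to be whatever fingerprint or cookie the system assigns to a browser.

```python
"""New-device login alerts and a reviewable device list built from a
stream of login events.  Added example, not RefTech's code; the log lines
below are constructed for the illustration."""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: timestamp, then key=value fields.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z user=alice device=f3a9c2 ip=203.0.113.10 result=ok
2024-03-04T08:40:53Z user=alice device=f3a9c2 ip=203.0.113.10 result=ok
2024-03-05T22:17:05Z user=alice device=7b1e0d ip=198.51.100.77 result=ok
2024-03-06T09:00:00Z user=bob device=91ee40 ip=203.0.113.44 result=ok
2024-03-06T09:01:10Z user=bob device=c0ffee ip=198.51.100.9 result=fail
2024-03-06T09:03:30Z user=alice device=7b1e0d ip=198.51.100.77 result=ok
"""


@dataclass
class Login:
    when: datetime
    user: str
    device: str
    ip: str
    ok: bool


def parse_line(line):
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Login(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                 kv["user"], kv["device"], kv["ip"], kv["result"] == "ok")


@dataclass
class DeviceRecord:
    first_seen: datetime
    last_seen: datetime
    last_ip: str
    logins: int = 0


class LoginMonitor:
    def __init__(self):
        self.devices = {}   # user -> {device_id: DeviceRecord}
        self.alerts = []    # what would be sent to the account owner

    def observe(self, login):
        if not login.ok:
            return          # failed attempts do not enrol a device
        known = self.devices.setdefault(login.user, {})
        rec = known.get(login.device)
        if rec is None:
            known[login.device] = DeviceRecord(login.when, login.when, login.ip, 1)
            # First successful login from this device: this is the alert email/push.
            self.alerts.append(f"{login.when.isoformat()} new device {login.device} "
                               f"for {login.user} from {login.ip}")
        else:
            rec.last_seen = login.when
            rec.last_ip = login.ip
            rec.logins += 1

    def history(self, user):
        """The 'your devices' page: (device, record) pairs, newest first."""
        return sorted(self.devices.get(user, {}).items(),
                      key=lambda kv: kv[1].last_seen, reverse=True)

    def revoke(self, user, device):
        """Remove a lost or stolen device; its next login alerts again."""
        return self.devices.get(user, {}).pop(device, None) is not None


def run(log_text):
    mon = LoginMonitor()
    for line in log_text.splitlines():
        if line.strip():
            mon.observe(parse_line(line))
    return mon


if __name__ == "__main__":
    mon = run(SAMPLE_LOG)
    for a in mon.alerts:
        print(a)
    for device, rec in mon.history("alice"):
        print(device, rec.last_seen, rec.last_ip, rec.logins)
```

Against the sample log this raises three alerts (alice's first device, alice's second device, bob's device); the late-night login from a new device and a new network is exactly the entry you would want to recognise or revoke.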
Can you restrict who has access to reports?
Many data breaches are actually internal, whether accidental or deliberate: sharing information by mistake, or downloading information before moving to a competitor (it does happen). Downloaded reports are valuable and should not be overlooked. You will probably have staff members whom you are happy to let view and edit records but who have no legitimate need to download them in bulk. A few systems let you restrict report access to only those who need it, and only to the reports a staff member needs to do their job. It is another easy step that helps ensure your data doesn't fall into the wrong hands.
Also, if you have 2FA enabled on your account, a great system will insist you enter a fresh 2FA code before you can download a report, as an extra layer of protection.
Does the system lock you out after several failed password attempts?
If someone tries your password unsuccessfully, any good system will tolerate only a set number of attempts before flagging the problem and locking the account for a while. This can be annoying if it's actually you who has mistyped your password, but it is a very good deterrent against a would-be hacker using automated password-guessing tools. Prefer a temporary lockout (or a growing delay between attempts) to a permanent one: otherwise anyone who knows your username can lock you out of your own account simply by entering the wrong password a few times.
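Here is what such a policy looks like in code, as an added example for this article (not any vendor's implementation). The thresholds, five failures in fifteen minutes leading to a fifteen-minute lock, are assumptions; the plain-text password table stands in for the hashed store a real system would use.

```python
"""Failed-login lockout policy.  Added example, not any vendor's code.
After MAX_FAILURES wrong passwords within FAILURE_WINDOW seconds the
account is locked for LOCKOUT_SECONDS.  All three values are assumptions
chosen for the illustration."""
import hmac
from collections import defaultdict, deque

MAX_FAILURES = 5
FAILURE_WINDOW = 15 * 60
LOCKOUT_SECONDS = 15 * 60


class LoginGate:
    def __init__(self, passwords):
        self._passwords = passwords           # username -> password (stand-in for a hashed store)
        self._failures = defaultdict(deque)   # username -> timestamps of recent failures
        self._locked_until = {}               # username -> time the lock expires
        self.events = []                      # what the security log would receive

    def _prune(self, user, now):
        """Forget failures older than the window so a slow trickle of typos
        over a day does not accumulate into a lock."""
        q = self._failures[user]
        while q and now - q[0] > FAILURE_WINDOW:
            q.popleft()

    def is_locked(self, user, now):
        return self._locked_until.get(user, 0) > now

    def attempt(self, user, password, now):
        """Return 'ok', 'denied' or 'locked'.  `now` is a Unix time so the
        policy can be exercised without waiting."""
        if self.is_locked(user, now):
            # Do not even check the password: a locked account stays locked
            # until the timer expires, whether or not the guess is right.
            return "locked"
        expected = self._passwords.get(user, "")
        ok = user in self._passwords and hmac.compare_digest(expected.encode(), password.encode())
        if ok:
            self._failures[user].clear()
            return "ok"
        self._prune(user, now)
        self._failures[user].append(now)
        if len(self._failures[user]) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures[user].clear()
            self.events.append(f"{user} locked at t={now} after {MAX_FAILURES} failures")
            return "locked"
        return "denied"


if __name__ == "__main__":
    gate = LoginGate({"alice": "correct horse"})
    for t in range(5):
        print(t, gate.attempt("alice", "wrong", now=t))      # four 'denied', then 'locked'
    print(gate.attempt("alice", "correct horse", now=10))   # locked: right password, still refused
    print(gate.attempt("alice", "correct horse", now=4 + LOCKOUT_SECONDS))   # ok
```

The lock expiring on its own is the point made in the prose: it slows an automated guessing tool to a handful of tries per quarter hour while leaving you able to get back in without calling support.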
Does the system create an audit trail for each event?
Having an audit trail, showing who logged on and when, and what data they accessed or downloaded, is essential to prove that you have robust organisational and technical security measures in place, but you need to look at these logs regularly to make sure nothing untoward is happening. Ask whether your system can do this, because it is another way of staying in control of your data and ensuring it is protected. It will also be invaluable if you suffer a data breach and have to work out what was accessed, or are investigated.
Can staff limit or turn off security?
Despite all your good intentions, there could be one person in the team who regards the 2FA process as a pain and so disables it. The most secure systems allow an event to be flagged as requiring 2FA and will block a user who has not set up 2FA from accessing those events. A good system puts you in control and lets you set the security parameters, so that you can insist your team follows the measures you have, quite rightly, implemented.
Event management systems can be amazing tools, and with the right questions you can make sure yours is not only good for organising events but also a helpful ally in the war we are all fighting for data protection.
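The report-access restriction, the fresh-2FA check before a download, the per-event audit trail and the "this event requires 2FA" flag from the sections above are all decisions a single authorisation check can make. The following is an added example of such a check, written for this article and not taken from RefTech's or any vendor's product; the role names, the permission strings, the five-minute step-up window and the staff list are assumptions for the illustration.

```python
"""Access control for event data: per-role report rights, a fresh 2FA
check before a download, events flagged as requiring enrolled 2FA, and an
audit entry for every decision.  Added example, not RefTech's code; roles,
permissions and the step-up window are assumptions."""
from dataclasses import dataclass

STEP_UP_MAX_AGE = 5 * 60   # a 2FA check older than this must be repeated before a download

# Assumed roles: who may view/edit records versus who may also pull reports.
ROLE_PERMISSIONS = {
    "organiser": {"records:view", "records:edit", "reports:view", "reports:download"},
    "coordinator": {"records:view", "records:edit", "reports:view"},
    "temp": {"records:view"},
}


@dataclass
class User:
    name: str
    role: str
    totp_enrolled: bool
    last_2fa_at: int = -1     # Unix time of last successful 2FA this session; -1 = never


@dataclass
class Event:
    name: str
    requires_2fa: bool


class EventAccess:
    def __init__(self):
        self.audit = []   # (time, user, event, action, outcome): the per-event audit trail

    def _record(self, now, user, event, action, outcome):
        self.audit.append((now, user.name, event.name, action, outcome))
        return outcome

    def authorise(self, user, event, action, now):
        """Return 'allow', 'step-up' (ask for a fresh 2FA code, then retry)
        or a 'deny:...' reason.  Every call, allowed or not, is audited."""
        if event.requires_2fa and not user.totp_enrolled:
            # The flag the prose describes: no 2FA set up, no access to this event at all.
            return self._record(now, user, event, action, "deny:2fa-not-enrolled")
        if action not in ROLE_PERMISSIONS.get(user.role, set()):
            return self._record(now, user, event, action, "deny:no-permission")
        if action == "reports:download":
            stale = user.last_2fa_at < 0 or now - user.last_2fa_at > STEP_UP_MAX_AGE
            if stale:
                return self._record(now, user, event, action, "step-up")
        return self._record(now, user, event, action, "allow")

    def who_downloaded(self, event):
        """The question you ask after a leak: who actually pulled this event's reports?"""
        return [(t, u) for (t, u, e, a, o) in self.audit
                if e == event.name and a == "reports:download" and o == "allow"]


if __name__ == "__main__":
    conf = Event("Accounting Summit", requires_2fa=True)
    access = EventAccess()
    alice = User("alice", "organiser", totp_enrolled=True, last_2fa_at=100)
    bob = User("bob", "coordinator", totp_enrolled=True)
    carol = User("carol", "temp", totp_enrolled=False)
    print(access.authorise(alice, conf, "reports:download", now=200))   # allow
    print(access.authorise(alice, conf, "reports:download", now=1000))  # step-up
    print(access.authorise(bob, conf, "reports:download", now=200))     # deny:no-permission
    print(access.authorise(carol, conf, "records:view", now=200))       # deny:2fa-not-enrolled
    print(access.who_downloaded(conf))                                  # [(200, 'alice')]
```

The ordering matters: the 2FA-enrolment check runs before anything else so that a flagged event is invisible to a staff member who has switched 2FA off, and the step-up result is returned rather than an error so the user interface can prompt for a code and retry the same request.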